View
44
Download
0
Category
Tags:
Preview:
DESCRIPTION
Privacy-enhancing Technologies and Identity Management. Brenda Watkins Director Policy and Business Strategies Information Technology Services Branch. Outline. - PowerPoint PPT Presentation
Citation preview
Public Works andGovernment ServicesCanada
Travaux publics etServices gouvernementauxCanada Canada
Brenda WatkinsDirector
Policy and Business StrategiesInformation Technology Services Branch
Privacy-enhancing Technologies and Identity
Management
Privacy-enhancing Technologies and Identity
Management
2
Outline
How the federal government developed and implemented a common, privacy-friendly authentication system for secure access to Government On-line (GOL) services
3
Government On-line Transactions: Canadians’ Concerns and
Expectations Surveys consistently revealed Canadians’
concerns that their Government On-line transactions could potentially allow their private information to become public or end up in the wrong hands
Expect the government to be more diligent than the private sector or banks in protecting the privacy and security of their information
5
GOL Authentication Services
Ensure that on-line participants are who they claim to be
Maintain data integrity and confidentiality of personal information
Provide evidence for non-repudiation Permit differing levels of authentication for
different service offerings Provide secure electronic signatures
6
GOL Authentication Strategy To implement a common PKI authentication service
for Canadians to conduct business with government that would:– be more user-friendly and manageable – support a range of functional and security needs– be extensible, scalable and interoperable– offer simple, efficient registration process– be both economic and strategic
Prerequisites:– on-line credentials must be secure and “portable”– browser is the client’s preferred on-line tool– privacy principles must be rigorously observed
Phased roll-out
7
Privacy by Design GOL transactions are governed by the same privacy
protections as paper-based transactions:– Federal law (Privacy Act)– Federal policies and guidelines (Privacy & Data Protection)
Developed Privacy Impact Assessment Policy to ensure that privacy is built into all federal on-line services
– GOL Authentication Services served as a successful pathfinder project demonstrating PIA is an essential architectural tool when initiated early and updated as required
– 4 iterative PIAs undertaken prior to initial launch to progressively assess conceptual models, build requirements and design throughout development
National focus testing of user experience
8
PKI – Privacy-Enhancing, But …
Binds identity to a digital certificate (distinguished names)
Potential to reveal information about user from use of certificate (inference)
Question of collection and sharing of information between government services– registration, directory
9
epass –An Elegant (and Revolutionary) Solution
Access to GOL services is via “epass” – a secure electronic credential
Differs from traditional PKI implementations:– epass certificate is anonymous – it is not bound to
the identity of an individual or entity– the only identifying data in an epass is a
randomly generated, unique number (MBUN – Meaningless But Unique Number)
– Impossible to deduce anything about the epass holder
Developed in strict adherence with privacy laws and policies
10
How epass Enhances Privacy
Registration process– User creates unique user ID and password– Encryption and signing keys are generated
and stored in double-encrypted profile accessible only to the user
– The user identifies recovery questions and answers during registration process
– epass is issued– NO identifying information is contained in the
epass – only the MBUN
11
The program is responsible for authenticating the epass holder’s identity
The authentication process is as rigorous as nature of the transaction dictates
Once the program is satisfied as to the identity of the epass holder, the epass MBUN is mapped to the program information
How epass Enhances Privacy … 2
12
epass-enabled GOL Services
CRA Address Change On-line HRSD/SDC Record of Employment CRTC filings (applications) Health Canada’s electronic
regulatory system for pesticide applications
One-quarter million epasses issued!
13
Coming Soon
Atlantic Canada Opportunities Agency Passport Office PWGSC - My Services Veterans Affairs medical records system CRA expanding use of “MyAccount”
14
RecognitionGOLD
MEDALS TO
ROE AND
SECURE
CHANNEL
For the fourth year in a row, Accenture has ranked Canada #1 in e-government maturity – specifically mentioning epass as a contributing factor
Four GTEC gold medals since 1999 – two this year:– Record of Employment– Secure Channel Project2003: for epass1999: for first implementation of a national government PKI policy
Federal Privacy Commissioner acknowledgement: “…the creative approach they have taken in addressing many of the privacy risks associated with more conventional on-line client authentication models.”
15
REGISTRATION DEMONSTRATION
Recommended